From e3d9358bad40db3dc93ddad5a88a9a43026f7e78 Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Sun, 27 Aug 2023 03:48:43 +0200
Subject: [PATCH] Improve Bookworm server setup config.

---
 bookworm/apt-mark/server                  |  6 ++++++
 bookworm/setup_scripts/init_user_login.sh |  1 -
 bookworm/setup_scripts/setup_desktop.sh   |  1 -
 bookworm/setup_scripts/setup_server.sh    | 17 +++++++++++++++++
 4 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 bookworm/apt-mark/server
 create mode 100755 bookworm/setup_scripts/setup_server.sh

diff --git a/bookworm/apt-mark/server b/bookworm/apt-mark/server
new file mode 100644
index 0000000..2ab22d2
--- /dev/null
+++ b/bookworm/apt-mark/server
@@ -0,0 +1,6 @@
+# so we can login at all …
+openssh-server
+# firewalling
+nftables
+# We want to be able to use ALL our servers as borg backup destinations.
+borgbackup
diff --git a/bookworm/setup_scripts/init_user_login.sh b/bookworm/setup_scripts/init_user_login.sh
index 78a891b..8413cd8 100755
--- a/bookworm/setup_scripts/init_user_login.sh
+++ b/bookworm/setup_scripts/init_user_login.sh
@@ -7,7 +7,6 @@
 #
 # Dependencies: ssh, scp, properly configured sshd_config file in reach.
 set -e
-set -x
 . ./misc.sh
 
 # Location of an sshd_config with "PermitRootLogin no" and
diff --git a/bookworm/setup_scripts/setup_desktop.sh b/bookworm/setup_scripts/setup_desktop.sh
index 42cd779..9df5512 100755
--- a/bookworm/setup_scripts/setup_desktop.sh
+++ b/bookworm/setup_scripts/setup_desktop.sh
@@ -1,6 +1,5 @@
 #!/bin/sh
 set -e
-set -x
 . ./misc.sh
 
 expect_n_args 1 "(system name)" "$@"
diff --git a/bookworm/setup_scripts/setup_server.sh b/bookworm/setup_scripts/setup_server.sh
new file mode 100755
index 0000000..3324962
--- /dev/null
+++ b/bookworm/setup_scripts/setup_server.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Next setup steps for a server whose login policy has just been set from
+# the outside via ./init_user_login.sh.
+set -e
+. ./misc.sh
+
+expect_n_args 2 "(hostname, FQDN)" "$@"
+hostname="$1"
+fqdn="$2"
+additional_arg="$3"
+
+# If we have not yet set the shell for user plom, ensure it here. This
+# is mostly for convenience.
+usermod -s /bin/bash plom
+
+# Enable firewall.
+systemctl enable nftables.service
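Review bot: `additional_arg="$3"` reads a third positional argument that `expect_n_args 2 "(hostname, FQDN)" "$@"` a few lines earlier does not admit, and neither it nor `hostname`/`fqdn` is referenced anywhere else in the file as committed, so the assignment is dead and the usage text disagrees with what the script accepts; either drop `additional_arg="$3"` or raise the expected count and document what the extra argument is for. The `# Enable firewall.` comment also promises more than `systemctl enable nftables.service` delivers: the unit is only enabled for the next boot, not started, and nothing in this script writes a ruleset, so the distribution default `/etc/nftables.conf` stays in place, which on Debian I believe accepts all traffic. Writing a vetted ruleset first and then running `systemctl enable --now nftables.service` would make the comment accurate; I cannot tell from the hunk whether `misc.sh` or a later step installs one, so this is a suggestion to confirm rather than a certain defect.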
-- 
2.30.2